Bug#278518: KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.

To: submit@bugs.debian.org
Cc: full-disclosure@lists.netsys.com, debian-security@lists.debian.org
Subject: Bug#278518: KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.
From: "Yanosz" <yanosz@gmx.net>
Date: Wed, 27 Oct 2004 15:45:21 +0200
Message-id: <[🔎] 200410271545.21782.yanosz@gmx.net>
Reply-to: "Yanosz" <yanosz@gmx.net>, 278518@bugs.debian.org

Package: Konqueror
Version: 3.2.2-1 (sarge)
Severity: Important

In contrast to other browsers like firefox, Konqueror allows JavaScript to 
access other frames in a frameset, loaded with from different (sub)domain. By 
that enclosed / secret data can be read through a hidden frameset.
See http://groenndemon.de/bla for demonstration.

(I'd like also to thank the webmaster for motivating me to explore that issue 
and setting a wegpage up for demonstration)

(Translation: Action Ändern -> Change action
Passwort klauen -> steel password
Abschicken -> submit)

Please verify this issue on other versions - 3.1.4 seems to be affected as 
well.

Keep smiling
yanosz

Reply to:

Follow-Ups:
- Bug#278518: marked as done (KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: Re: kdemultimedia_4:3.3.0-1(ia64/unstable): FTBFS: compile errors
Next by Date: Bug#278518: marked as done (KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.)
Previous by thread: Processed: Re: kdemultimedia_4:3.3.0-1(ia64/unstable): FTBFS: compile errors
Next by thread: Bug#278518: marked as done (KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.)
Index(es):
- Date
- Thread